The diagram below sums-up all of above:
There is a diagram in figure E.1 of ISO 14971 standard that sums-up all these concepts in a better way. I don't have the right to reproduce it here. But if you have a copy of the standard, it's worth having a look at it.

OK we've defined what a risk is, but not the link between risks and other concepts.

Risks vs defects

Let's now apply the chainning described above to critical or major defects:

When a critical or major bug happens, the software crashes or gives wrong results. Thus people are placed in an hazardous situation.

This software crash or erroneous result may lead to an injury of people, like:

A lung ventilator is controlled by software and stops --> risk of severe injury!

A PACS viewer is boggey and shows wrong images --> risk of misinterpretation by the radiologist.

The risk is the assessment of:

the gravity of the injury (see the two examples above),

the probability of occurence of the injury --> the probability of occurence of a defect.

Ouch! The probability of occurence of a defect?

I don't know the probability of occurence of a defect. You don't know either. Nobody knows!
We'll see later on how to deal with it.

Risks vs software failure

Let's continue to apply the chainning described above to software failures:

When a software failure happens, the software crashes or gives wrong results. Thus people are placed in an hazardous situation.

This software crash or erroneous result may lead to an injury of people (same examples as those for defects)

The risk is the assessment of:

the gravity of the injury,

the probability of occurence of the injury --> the probability of occurence of a software failure.

Ouch! the probability of occurence of a software failure?

We'll see later on how to deal with it.

Same chainning

What's interresting here, is that the chainning is the same for critical or major defects, and for software failures.
Remember that (as I said in my previous post):

Critical and major defects can lead to a software failure,

Minor and cosmetic defects don't,

A Software failure can happen without any defect, for other reasons, like wrong input data, hardware failure.

We can add to this that:

A defect can lead to an hazardous situation and a risk,

A software failure can also lead to an hazardous situation and a risk.

Defects and software failures vs risks

But not all of defects and software failure could represent a risk.
For example, the archive function doesn't work on your desktop computer because:

There's a defect in the software (eg, defect in the driver of the CDROM),

The USB port is out (hardware failure).

If the archive function is not used at all for medical purposes but only by the manufacturer for technical purpose, it's possible to say that there's no risk "attached" to this software failure.

Warning, though, this is a very rare case.
To sum-up: There are 99% chances that critical and major defects, and software failures lead to risks.

This is represented in the diagram below.

The big picture

We've seen that:

Most of defects (mainly the critical and major ones) generate software failures and represent a risk,

Some defects (very few), may generate software failure but don't represent a risk.

The last assertion is a bit far-fetched but is still possible ...

The big picture below summarizes all these cases.

Changes in the status of defects, software failure and risks

The status of a defect, a software failure, a risk is not frozen in the lifecycle of a software.
Especially far-fetched or very rare cases may hide more obvious situations. Namely when a critical defect or a software failure doesn't represent a risk now, it may represent a risk in the near future.
Example:

A minor defect that represent a risk that is not acceptable shall be promoted to major or critical defect,

A defect that generates a software failure, previously not seen as a risk, may represent a risk now.

The archive function I used as an example above, may become used by physicians to store patient data. Thus it is used for medical purposes and the software failure becomes risky.

Conclusion

I hope I managed to clearly differenciate all of these concepts. I guess reading this article gave you a headache. It gave me a headache writing it!
Next week, I'll post something more fun.